[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#8685) Invalid memory access

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8685) Invalid memory access
From: hyc@symas.com
Date: Fri, 07 Jul 2017 13:54:15 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Breno Leitao wrote:
> Hello Howard,
> 
> On Thu, Jul 06, 2017 at 08:55:01PM +0100, Howard Chu wrote:
>> leitao@debian.org wrote:
>>> Full_Name: Breno Leitao
>>> Version: upstream
>>> OS: Debian
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (32.104.18.202)
>>>
>>>
>>> Currently, do_random() function in tests/progs/slapd-mtread.c uses a random
>>> number (upto RAND_MAX) to access an array that is much smaller than RAND_MAX,
>>> causing a segfault.
>>>
>>> This causes a segmentation fault and more details could be found at
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866122
>>>
>>>
>> Thanks for the report. I've examined your proposed patch in your debian
>> bugtracker. It doesn't make much sense though.
>>
>> The random number is being correctly scaled, line 682:
>>
>> int r = ((double)nvalues)*rand()/(RAND_MAX + 1.0);
>>
>> Which means the value of r can only be from 0 to nvalues-1.
>>
>> And there should be no difference between nvalues and i, since on line 657:
>>
>> nvalues = ldap_count_entries( ld, res );
>>
>> Since i is simply iterated through all of the entries in the response, the
>> two values cannot disagree.
> 
> Thanks for looking at it, and your suggestion made me revisit it. let me
> share I am finding in the debug. This is the failure frame:

You cannot possibly diagnose this with an optimized binary. You're missing 
several crucial variables.

Your analysis here is completely invalid.
> 
>         #5  do_read (ld=0x3fff980008e0, entry=0x6e6d756c413d756f <error: Cannot access memory at address 0x6e6d756c413d756f>,
>            attrs=0x20020058 <srchattrs>, noattrs=<optimized out>, maxloop=<optimized out>, maxretries=<optimized out>, force=<optimized out>,
>            idx=<optimized out>, chaserefs=<optimized out>, delay=<optimized out>, nobind=<optimized out>) at ../../../../tests/progs/slapd-mtread.c:791
> 
> On this frame, these are the values we have:
> 
>         i = 0
>         do_retry = 0
>         rc = <optimized out>
>         thrstr = "Read(1): entry=\"0 cnt: 1 (retried 0) (dc=example,dc=com)\000u=Alumni Association,ou=People,dc=example,dc=com)\000mple,dc=com)", '\000' <repeats 6641 times>...
>         e = <optimized out>
>         attrs = {0x200072a0 "1.1", 0x0}
>         rc = 0
>         nvalues = <optimized out>
>         res = 0x3fffa0001ac0

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: (ITS#8687) openldap fails to link w/ openssl 1.1 built w/ no-egd
Next by Date: (ITS#8688) Is it possible to control on the failover of backend LDAP?
Index(es):
- Chronological
- Thread